From 35de676fcbab7d12ce6917c68d99f4c0f4cf31e0 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 30 Mar 2026 11:20:24 -0400 Subject: [PATCH] import CS dnf-plugins-core-4.3.0-26.el9 --- ...dnf4-multisig-8-manual-page-to-dnf-m.patch | 78 ++++++++++++++++ ...ment-that-local-packages-are-not-aff.patch | 36 ++++++++ ...untrusted-signatures-if-there-is-tru.patch | 92 +++++++++++++++++++ SPECS/dnf-plugins-core.spec | 16 +++- 4 files changed, 220 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch create mode 100644 SOURCES/0026-versionlock-Document-that-local-packages-are-not-aff.patch create mode 100644 SOURCES/0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch diff --git a/SOURCES/0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch b/SOURCES/0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch new file mode 100644 index 0000000..192af35 --- /dev/null +++ b/SOURCES/0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch 
@@ -0,0 +1,78 @@ +From e1aebc68eb031f3e91ed39a0b145589f1a4a1734 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 3 Oct 2025 12:23:11 +0200 +Subject: [PATCH] multisig: Rename dnf4-multisig(8) manual page to + dnf-multisig(8) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To align with all other plugin manual pages. +Create dnf4-multisig(8) symlink for compatibility. + +FILE(CREATE_LINK) is available since cmake 3.14. + +Resolve: https://issues.redhat.com/browse/RHEL-117134 +Signed-off-by: Petr Písař +--- + CMakeLists.txt | 2 +- + dnf-plugins-core.spec | 2 +- + doc/CMakeLists.txt | 4 ++++ + doc/conf.py | 2 +- + 4 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index a1eea7b..86225e7 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1,5 +1,5 @@ + PROJECT (dnf-plugins-core NONE) +-CMAKE_MINIMUM_REQUIRED (VERSION 2.4) ++CMAKE_MINIMUM_REQUIRED (VERSION 3.14) + + if (NOT WITHOUT_LOCAL) + set (WITHOUT_LOCAL "0") +diff --git a/dnf-plugins-core.spec b/dnf-plugins-core.spec +index cb3b1b8..ff6beea 100644 +--- a/dnf-plugins-core.spec ++++ b/dnf-plugins-core.spec +@@ -40,7 +40,7 @@ License: GPLv2+ + URL: https://github.com/rpm-software-management/dnf-plugins-core + Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + BuildArch: noarch +-BuildRequires: cmake ++BuildRequires: cmake >= 3.14 + BuildRequires: gettext + # Documentation + %if %{with python3} +diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt +index 297506a..75e74bb 100644 +--- a/doc/CMakeLists.txt ++++ b/doc/CMakeLists.txt +@@ -48,6 +48,10 @@ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/dnf-migrate.8 + endif() + + if (${PYTHON_VERSION_MAJOR} STREQUAL "3") ++INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/dnf-multisig.8 ++ DESTINATION share/man/man8) ++FILE(CREATE_LINK dnf-multisig.8 ${CMAKE_CURRENT_BINARY_DIR}/dnf4-multisig.8 ++ SYMBOLIC) + INSTALL(FILES 
${CMAKE_CURRENT_BINARY_DIR}/dnf4-multisig.8 + DESTINATION share/man/man8) + endif() +diff --git a/doc/conf.py b/doc/conf.py +index 2845d18..225ae5f 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -301,7 +301,7 @@ if sys.version_info[0] < 3: + man_pages.append(('migrate', 'dnf-migrate', u'DNF migrate Plugin', AUTHORS, 8)) + + if sys.version_info[0] == 3: +- man_pages.append(('multisig', 'dnf4-multisig', u'DNF multisig Plugin', AUTHORS, 8)) ++ man_pages.append(('multisig', 'dnf-multisig', u'DNF multisig Plugin', AUTHORS, 8)) + + # If true, show URL addresses after external links. + #man_show_urls = False +-- +2.51.0 + diff --git a/SOURCES/0026-versionlock-Document-that-local-packages-are-not-aff.patch b/SOURCES/0026-versionlock-Document-that-local-packages-are-not-aff.patch new file mode 100644 index 0000000..6005b70 --- /dev/null +++ b/SOURCES/0026-versionlock-Document-that-local-packages-are-not-aff.patch 
@@ -0,0 +1,36 @@ +From c3ddd35dc52d504b8c2875fccaf2559a02ca1a77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 1 Dec 2025 17:40:46 +0100 +Subject: [PATCH] versionlock: Document that local packages are not affected + +Upstream commit: fa966d83e340c5df12942656da0f8c5c66eac556 + +Local packages are added to a sack after the versionlock plugin logic +runs, so the plugin cannot exclude them from an installation. + +This patch documents this deficiency. + +Resolve: #585 +Resolve: https://issues.redhat.com/browse/RHEL-94014 +Resolve: https://issues.redhat.com/browse/RHEL-94828 +--- + doc/versionlock.rst | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/doc/versionlock.rst b/doc/versionlock.rst +index 1ac7196..c4a931c 100644 +--- a/doc/versionlock.rst ++++ b/doc/versionlock.rst +@@ -47,6 +47,9 @@ excludes a package that matches the version exactly. + Note the versionlock plugin does not apply any excludes in non-transactional + operations like `repoquery`, `list`, `info`, etc. + ++Note that the versionlock plugin only applies to in-repository packages. ++Packages passed on the DNF command line as local files won't be affected. ++ + -------- + Synopsis + -------- +-- +2.52.0 + diff --git a/SOURCES/0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch b/SOURCES/0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch new file mode 100644 index 0000000..84b093f --- /dev/null +++ b/SOURCES/0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch 
@@ -0,0 +1,92 @@ +From d5845419b417241436d5104e352e6891f1a4ceac Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 30 Jan 2026 17:13:55 +0100 +Subject: [PATCH] multisig: Ignore untrusted signatures if there is trusted one + +Ported from dnf commit: 00fef9ad0d761eccf8d86580e031f442af9cd8ef + +With RPMv6 signatures, there can be multiple signatures attached to +a single package. If some signatures are made with an algorithm +disabled in a system-wide crypto policy (e.g. rsa4096 = "never" in +/etc/crypto-policies/back-ends/rpm-sequoia.config), but other +signatures are valid and trusted, so that the package is overall +correctly signed: + + # /usr/lib/pqrpm/bin/rpmkeys -v -K ./foo-0-1.fc43.noarch.rpm; echo $? + ./foo-0-1.fc43.noarch.rpm: + Header V4 EdDSA/SHA512 Signature, key ID e2b145f3: OK + Header V4 RSA/SHA512 Signature, key ID b5e56945: NOTTRUSTED + Header SHA256 digest: OK + Header SHA1 digest: OK + Payload SHA256 digest: OK + 0 + +DNF failed like this: + + [...] + Is this ok [y/N]: y + Downloading Packages: + Running transaction check + Transaction check succeeded. + Running transaction test + Transaction test succeeded. + norsa 1.6 MB/s | 1.6 kB 00:00 + Importing GPG keys from: /root/repos/norsa/rsa.key + Is this ok [y/N]: y + Key import failed. Failing package is: foo-0-1.fc43.noarch + GPG Keys are configured as: file:///root/repos/norsa/rsa.key, file:///root/repos/norsa/eddsa.key + Error: GPG check FAILED + +The cause was that an output of pqrpm's "rpmkeys -v -K" tool executed +indirectly by Multisig plugin was incorrectly parsed in +_process_rpm_output() function. That function assumed that only one +signature can exist and reported on any NOTTRUSTED record that the +package is not trustfully signed. + +As a result, the plugin attempted to (re)import all the signing keys. But +importing a key with the disabled algorithm failed and DNF errored. 
+ +This patch fixes parsing the rpmkeys output to ignore all untrusted +signatures if there is at least one signature trusted. + +Resolve: https://issues.redhat.com/browse/RHEL-145372 +--- + plugins/multisig.py | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/plugins/multisig.py b/plugins/multisig.py +index f29e41f..b05704c 100644 +--- a/plugins/multisig.py ++++ b/plugins/multisig.py +@@ -55,7 +55,7 @@ class MultiSig(dnf.Plugin): + # last newline. + if len(data) < 3 or data[0] != b'-:' or data[-1]: + return 2 +- seen_sig, missing_key, not_trusted, not_signed = False, False, False, False ++ trusted_sig, missing_key, not_trusted, not_signed = False, False, False, False + for i in data[1:-1]: + if b': BAD' in i: + return 2 +@@ -65,12 +65,16 @@ class MultiSig(dnf.Plugin): + not_trusted = True + elif i.endswith(b': NOTFOUND'): + not_signed = True ++ # Some rpmkeys versions print Signature, some signature, accept both. ++ elif i.endswith(b': OK') and b'ignature,' in i: ++ trusted_sig = True + elif not i.endswith(b': OK'): + return 2 +- if not_trusted: +- return 3 +- elif missing_key: ++ if missing_key: + return 1 ++ elif not trusted_sig and not_trusted: ++ # Do not report untrusted signatures if there is a trusted one ++ return 3 + elif not_signed: + return 4 + # we still check return code, so this is safe +-- +2.53.0 + diff --git a/SPECS/dnf-plugins-core.spec b/SPECS/dnf-plugins-core.spec index b37a196..09fad3f 100644 --- a/SPECS/dnf-plugins-core.spec +++ b/SPECS/dnf-plugins-core.spec @@ -34,7 +34,7 @@ Name: dnf-plugins-core Version: 4.3.0 -Release: 23%{?dist} +Release: 26%{?dist} Summary: Core Plugins for DNF License: GPLv2+ URL: https://github.com/rpm-software-management/dnf-plugins-core 
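Review bot: The reordered tail of `_process_rpm_output` applies the trusted-signature override only to NOTTRUSTED: `if missing_key: return 1` now runs before the new `elif not trusted_sig and not_trusted` branch and still fires when `trusted_sig` is set, so a package with one `Signature, ... : OK` line plus one signature whose key is absent (the branch that sets `missing_key`, outside this hunk) is still reported as needing a key import. If that absent key uses an algorithm the crypto policy disables, the import presumably fails the same way the commit message describes for the NOTTRUSTED case, so whether every signing key must be importable when another signature is already trusted is a policy choice worth stating next to the check, e.g. `# A missing key still requests import even when another signature is trusted.`. The matcher `i.endswith(b': OK') and b'ignature,' in i` is tied to the `rpmkeys -v -K` line shape shown in the message (`Header V4 EdDSA/SHA512 Signature, key ID ...: OK`); a comment naming that expected format would help the next reader more than the current remark about capitalisation alone. The function's signature, its return-code contract and the line that sets `missing_key` all lie outside this hunk.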
@@ -60,9 +60,12 @@ Patch21: 0021-dnf-copr-enable-on-Asahi-Fedora-Linux-Remix-guesses.patch
 Patch22: 0022-reposync-Avoid-multiple-downloads-of-duplicate-packa.patch
 Patch23: 0023-multisig-A-new-plugin-for-verifying-extraordinary-RP.patch
 Patch24: 0024-multisig-Do-not-parse-OpenPGP-keys.patch
+Patch25: 0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch
+Patch26: 0026-versionlock-Document-that-local-packages-are-not-aff.patch
+Patch27: 0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch
 BuildArch: noarch
-BuildRequires: cmake
+BuildRequires: cmake >= 3.14
 BuildRequires: gettext
 # Documentation
 %if %{with python3}
@@ -826,6 +829,15 @@ ln -sf %{_mandir}/man1/%{yum_utils_subpackage_name}.1.gz %{buildroot}%{_mandir}/
 %endif
 %changelog
+* Wed Feb 11 2026 Petr Pisar - 4.3.0-26
+- Multisig: ignore untrusted signatures if there is trusted one (RHEL-145372)
+
+* Tue Dec 02 2025 Petr Pisar - 4.3.0-25
+- Document that local packages are not affected by versionlock (RHEL-94014)
+
+* Fri Oct 03 2025 Petr Pisar - 4.3.0-24
+- Rename dnf4-multisig(8) manual page to dnf-multisig(8) (RHEL-117134)
+
 * Mon Sep 15 2025 Petr Pisar - 4.3.0-23
 - Fix importing OpenPGPv6 keys (RHEL-114424)